One spring day in 2010, a hacker named Kevin Finisterre knew he had hit the jackpot. A network he had been casing finally broadcast the live video and audio feed of a police cruiser belonging to a US-based municipal government. His jaw dropped as a computer in his home office in Columbus, Ohio showed the vehicle—with flashing blue lights on and siren blaring—charging down a road of the unnamed city.

A burly 31-year-old with glasses and pork-chop sideburns, Finisterre has spent more than a decade applying his combination of street smarts and technical skills to pierce digital fortresses. For instance, he once accessed the work account of an engineer for a large utility company. Finisterre used a pilfered profile from Hotjewishgirls.com to trick the engineer into thinking he was interacting with a flirtatious 26-year-old woman, until the engineer finally coughed up enough personal information to make an attack on his corporate account successful.

It's not a bad way to earn a living.

Thrill of the hunt

Finisterre is one of the "good guys." He works as a penetration tester who gets paid to hack into Fortune 1000 casinos, banks, and energy companies; exploits like these are all in a day's work.

"I really, really love it," he says of his job—currently senior research consultant at security firm Accuvant Labs. "I've been able to get exposed to a lot of things that I wouldn't get exposed to unless I was trying to get myself arrested. What other opportunity are you going to get to try to hack into a bank?"

It's a common sentiment.

"There is a thrill," agreed Billy Rios, the 33-year-old leader of a team at Google acting as the company's front line of defense. "You're going up against some of the largest organizations in the world. They're basically hiring you to thwart them and circumvent all their security mechanisms."

Photo: Alex Lanstein at Interpol headquarters

Rios' team at Google has an inauspicious name—Web or Other Product Security—but he and his colleagues review every advisory sent to the security@google.com e-mail address. They analyze reported bugs throughout the entire range of Google software and services, from the Chrome browser to Google+ and Gmail. When they determine the validity of a given bug report, they often exploit the flaw so they can assess its severity. Finally, Rios's group will repair the flaw or assign the fix to an engineering team.

Alex Lanstein also knows the feeling of adrenaline surging through his veins when chasing down malicious hackers. But the 26-year-old also enjoys the satisfaction of knowing his work has made a difference to literally hundreds of millions of Internet users. Over the past four years, he's been instrumental in taking down botnets pumping out tens of billions of spam e-mails each day.

It all started in 2008. Lanstein and his colleagues at security firm FireEye reverse engineered a botnet dubbed Srizbi, which used a date-based algorithm to periodically generate new sets of domains from which the botnet's shadowy controllers could issue new orders to their network. Lanstein soon discovered that when the Internet names used to host one of Srizbi's command and control channels were severed—as would later happen with the November 2008 shutdown of a notorious Web hosting company called McColo—the malware was programmed to dynamically produce new names with pseudo-random strings. It then instructed all infected machines to begin taking orders from servers located at these addresses. By dynamically changing the command and control domains, the Srizbi operators planned to stay one step ahead of those trying to disrupt their botnet.

Recognizing that Srizbi differed from most of the other botnets hosted by McColo, Lanstein took his findings to one of his contacts at VeriSign (one of the gatekeepers for the .com addresses used exclusively by Srizbi's domain generation algorithm). Verisign set aside the names that the botnet would generate for the next year or two, and the 500,000 machines that belonged to the botnet became orphans, no longer under the influence of the botnet's operators. The result: Srizbi was incapacitated, with the exception of a brief resurrection attempt that ultimately proved futile.
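The defensive step described above, as an added illustration in Python (not code from the article, from FireEye, or from the Srizbi malware): a constructed date-seeded generator stands in for the real algorithm, a defender who has reversed it enumerates a year of future names for the registry to set aside, and a bot checking in on any day inside that window finds nothing left to register. The seed, four names per day, ten-letter labels and the start date are all assumptions; only the .com TLD comes from the article.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed parameters for the illustration (not Srizbi's real values):
# a secret fixed in the "binary", four candidates per day, ten-letter labels.
# The .com TLD is the one fact taken from the article.
SEED = b"constructed-seed"
NAMES_PER_DAY = 4
LABEL_LEN = 10
TLD = ".com"


def toy_dga(day: date, seed: bytes = SEED) -> List[str]:
    """Constructed date-seeded generator standing in for the real algorithm.
    The only property it shares with Srizbi is the one the defence relies on:
    the output depends on nothing but the calendar date and a secret fixed in
    the malware, so whoever has reversed the binary can compute the same
    names for any future date."""
    names = []
    for i in range(NAMES_PER_DAY):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        names.append(label + TLD)
    return names


def reserve_future_domains(start: date, days: int, seed: bytes = SEED) -> Set[str]:
    """Defender side: enumerate every name the generator will emit over the
    window so the registry can set them aside (or point them at a sinkhole)."""
    reserved: Set[str] = set()
    for offset in range(days):
        reserved.update(toy_dga(start + timedelta(days=offset), seed))
    return reserved


def bot_rendezvous(day: date, reserved: Set[str], seed: bytes = SEED) -> Optional[str]:
    """Simulate an orphaned bot walking that day's candidates. Returns the first
    name the defenders did not reserve (one an operator could still register),
    or None when the whole day is covered."""
    for name in toy_dga(day, seed):
        if name not in reserved:
            return name
    return None


def first_uncovered_offset(start: date, days: int, horizon: int, seed: bytes = SEED) -> Optional[int]:
    """Audit the reservation window against a longer horizon: the offset of the
    first day on which a bot would find an unreserved name, or None."""
    reserved = reserve_future_domains(start, days, seed)
    for offset in range(horizon):
        if bot_rendezvous(start + timedelta(days=offset), reserved, seed) is not None:
            return offset
    return None


if __name__ == "__main__":
    start = date(2008, 11, 1)  # constructed; the article only says "November 2008"
    print(len(reserve_future_domains(start, 365)), "names reserved for a year")
    print("first uncovered day offset:", first_uncovered_offset(start, 365, 400))
```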

"Even though the other bots that were at McColo—Rustock and Pushdo—were able to come back up, we were holding Srizbi down," Lanstein said. "That showed as long as you really understand the way the malware works, you can hold it off pretty effectively."

In the coming years, Lanstein's analysis and contacts proved crucial in taking down other prolific spam botnets. His victories included Mega-D and Rustock, which at their height were among the Internet's biggest sources of junk messages. When he was unable to convince several domain registrars to suspend Mega-D domain names that violated their terms of service, Lanstein relied on webhost contacts who agreed to turn off the botnets' servers. The FireEye research was cited in legal papers filed against operators of both botnets.

"I got to go to court with Microsoft and the Justice Department and go in front of a federal judge and say those are bad guys doing bad things," Lanstein said. "It's pretty cool to be a part of that."

For 38-year-old Arian Evans, the satisfaction of being vice president of operations at WhiteHat Security lies in the opportunity to deliberately break the applications that banks, social media providers, and other businesses use to deliver online services.

"I was the kid who would take apart the VCR and figure out how to put it back together," Evans said. "Taking it apart was for me just as fun, if not more fun, than putting it back together."

His team of 82 inflicts daily pain on Web apps used by more than 7,000 sites. He compares this grueling hacker brutality to the rigorous series of collision tests car manufacturers inflict on their automobiles to make sure they're safe.

"We're building the modern crash test dummies for the Internet," he says. "We're trying to simulate the accident to help [customers] build more robust software before the bad guys can cause a crash."

Arian Evans likens the hacking of Web apps to building "crash test dummies for the Internet."

"We're building the modern crash test dummies for the Internet," he says. "We're trying to simulate the accident to help [customers] build more robust software before the bad guys can cause a crash."

Isn't part of the problem that while we know how to build better software, for various reasons developers don't follow those methodologies? How much of a job would these guys/gals have left if we simply built correctly in the first place?

"We're building the modern crash test dummies for the Internet," he says. "We're trying to simulate the accident to help [customers] build more robust software before the bad guys can cause a crash."

Isn't part of the problem that while we know how to build better software, for various reasons developers don't follow those methodologies? How much of a job would these guys/gals have left if we simply built correctly in the first place?

I think the take-away is that crazy schedule and cost constraints put in place by out of touch project managers actually create jobs. They also don't hurt PR as much if everybody's making the same mistakes.

"We're building the modern crash test dummies for the Internet," he says. "We're trying to simulate the accident to help [customers] build more robust software before the bad guys can cause a crash."

Isn't part of the problem that while we know how to build better software, for various reasons developers don't follow those methodologies? How much of a job would these guys/gals have left if we simply built correctly in the first place?

You could use that line of reasoning against pretty much any service industry job out there. If people were good at understanding and handling money, we wouldn't need financial advisors. If contractors didn't cut corners, we wouldn't need repairmen and home inspectors. But that's the world we live in...

Arian Evans' picture is one of the most ridiculous things I've ever seen. Even worse, it appears (from the credit) that he provided it himself.

Swordfish style! I wonder if he works on 12 monitors, or knows how to crack 1024 bit encryption by hand in under 60 seconds with a gun to his while some chick the boss picked up last night performs oral sex on him.

Isn't part of the problem that while we know how to build better software, for various reasons developers don't follow those methodologies? How much of a job would these guys/gals have left if we simply built correctly in the first place?

It's taken us 40 years of crash-test science to substantially move the bar on automotive design & build safety. This is because it's a fairly complex subject, and the size, power and feature set on cars has also evolved rapidly, requiring constant adaptation to new build/implementation techniques, new materials, and new designs. This is why we're heading into the 4th generation of crash-test dummies.

In software it's even more challenging: software is much more bespoke/custom, and has a shorter life span than a car before being modified or replaced, which requires higher-speed adaptation and refactoring to address new technologies, and legacy and new technologies glued together.

Assuming that the solution is simply to "build secure software" hasn't worked in many industries building anything more complex or volatile than a bridge, which is typically built to withstand a threat profile projected over 100 years. The exception is the airplane manufacturers, which operate under criteria somewhere between cars and bridges, and who do full-spectrum testing and vetting including crash testing. A plane has a projected lifespan of 30-50 years under the expectation of rigorous review and maintenance. These expectations only evolved after lots of planes fell out of the sky, many people died, entire fleets were grounded and people stopped flying. Eventually, we agreed to pay a lot more for safety in the air, where human life is concerned. Not so much for Facebook widgets and mobile apps tied to websites we pay $5 for to transfer money in our bank accounts.

Arian Evans' picture is one of the most ridiculous things I've ever seen. Even worse, it appears (from the credit) that he provided it himself.

It's actually a public photo from my Gmail/Google+ and FB profile. You can download a copy to scare children if you prefer.

It just so happened that at a wedding party we wound up in front of a mafia-like construction site in tuxedos, so I quickly borrowed a smoke and posed. It's arguably beyond ridiculous and hard not to laugh at, which makes it a great choice for avatars and flame-bait.

However, if the goal is to represent hackers in a diffused, reality-grounded light, I've asked Dan if something more subdued may make sense. Since it's probably the most likely picture of the group to sensationalize comments, I suspect it will stay.

Then the "bad guys" pay an "evil hacker" to hire the "good hacker" and convince him/her that they are doing a legit job when in fact they are helping to steal the item. We could start the movie with the "good guys" breaking into a bank, and then eventually we could have the "evil hackers" hire them to steal a small hardware box that can decrypt anything.

I guess instead of saying "that is so 17 seconds ago" I could say that is so 1992.

It's actually a public photo from my Gmail/Google+ and FB profile. You can download a copy to scare children if you prefer.

It just so happened that at a wedding party we wound up in front of a mafia-like construction site in tuxedos, so I quickly borrowed a smoke and posed. It's arguably beyond ridiculous and hard not to laugh at, which makes it a great choice for avatars and flame-bait.

However, if the goal is to represent hackers in a diffused, reality-grounded light, I've asked Dan if something more subdued may make sense. Since it's probably the most likely picture of the group to sensationalize comments, I suspect it will stay.

Fair enough. At least you realize the reaction, and are aiming for it. In that context, I actually think you get bonus points.

I actually suspected it was posed, as very few cigarette smokers smoke cigarettes like that. I think people in the Red Army did...

Lol. I suspect that is either David Blythe or Joe Baric. You can find either gent on FB linked to me, or as part of our G+ granfalloons if your internets are linked with any of us, and perform your own photoanalysis. I like how the photographer, Garrett Arch Blythe, managed to stay out of the reflection. We have a running contest to capture and post douchy pictures of each of us on the internets, and I think he's winning. Though I have a few waiting for choice publication moments. Let's just say neither of us is going into politics.

To those of you who think hacking is all fun... try lots of boredom as well. As a contractor in this world of cracking Fortune 1000's, you can spend many hours prodding and pulling and getting nowhere. Especially, when the company limits you to zero social engineering.

So while a great deal of fun when you get root (i.e. the root dance), it has plenty of boredom as well.

Best method to *ahem* break into the field is to perform security in the job you already have. Be doing security and you'll be noticed.

"Rios' team at Google has an inauspicious name—Web or Other Product Security"

Their security division is called "WOOPS"?!

It's The Goog, I've a fiver says it's entirely intentional haha

mtgarden wrote:

To those of you who think hacking is all fun... try lots of boredom as well. As a contractor in this world of cracking Fortune 1000's, you can spend many hours prodding and pulling and getting nowhere. Especially, when the company limits you to zero social engineering.

So while a great deal of fun when you get root (i.e. the root dance), it has plenty of boredom as well.

Best method to *ahem* break into the field is to perform security in the job you already have. Be doing security and you'll be noticed.

That's the thing though, it's a mindset. For some, the fun is in exploring and trying to find those holes. Even when you don't make progress, you _have_ made progress by finding one more thing that doesn't work. So sure, the victory is nice, but the "boring" part is just as fun for others. As the cliche goes, "it's not the destination, but how you get there."

deas187 wrote:

Biggiesized wrote:

deas187 wrote:

"hold on to ya butts..."

LMFAO! I was having trouble placing that picture, but now you've done it for me!

Thanks! I thought more people would get it...

Not sure if I got it or not, but I'm definitely picturing the first Jurassic Park.

"We're building the modern crash test dummies for the Internet," he says. "We're trying to simulate the accident to help [customers] build more robust software before the bad guys can cause a crash."

Isn't part of the problem that while we know how to build better software, for various reasons developers don't follow those methodologies? How much of a job would these guys/gals have left if we simply built correctly in the first place?

You can build better software, but you can never build absolutely secure software. It's a near impossibility with the kind of constraints we have at the working level. There are time constraints, funding constraints, requirement constraints, use-case constraints, etc. Also, the more complex the software, the more holes; it's a given.

You're always going to have holes, and sometimes these holes are glaring holes you simply don't catch because you're the one involved in actually building it. That is why there is significant value in peer review above management review, but failing that (in organisations), you have to pay someone to find the holes for you.

Given an unlimited budget and an unlimited time frame to build the "better" software, I'm sure you could build a pretty foolproof product; but even then, I highly doubt it. Consider that many (if not most) successful break-ins/"hacks" are a direct result of social engineering; even the most proofed software is "hackable".

See the example above of hotjewishgirls.com for how this can be done. What normal people don't understand is that many people will give you exactly what you need provided you have the right hook. A guy going to hotjewishgirls.com... yeah, he's going to be easy prey for someone posing as a hot Jewish girl looking for some action.

I don't have statistics, but I'm a firm believer that most internet theft is a result of social engineering. See Nigerian scams. Yes, we laugh at the ridiculousness of it, but these guys actually make mad bank doing that. They have a bait and a hook, and people will bite.

Stuxnet was rumoured to have gotten into the system via a USB thumb drive and not a direct break into the system from an external source.

Stuxnet was rumoured to have gotten into the system via a USB thumb drive and not a direct break into the system from an external source.

According to the article on it, it propagated exclusively via USB. There's no mention of using the internet to propagate, only to phone home (though I think it assumed it would propagate over the internal network).

EDIT: Rereading the article, it explicitly does not use the internet in any way to propagate. All propagation is exclusively through intranet and USB.

The spy-industrial complex makes our military look open, efficient, and 100% ethical. At least Kim Dotcom was just acting - the "look" in that second photograph tells you the kind of people we are dealing with...